A compromised administrator account or an admin becoming a disgruntled ex-employee is a source of serious risk to a business. This is because traditionally admins can do whatever they want, whenever they want. To address this issue, Microsoft have developed Privileged Access Management.
What is Privileged Access Management?
Privileged Access Management works on the principle of zero standing access. That means that admins don’t have the ability to perform potentially damaging actions all of the time.
When they need to perform a task that may expose sensitive data or has potential to cause a lot of damage, they will be given just enough access to complete the task. And even then, only for a specific time and only following an audited approval process.
You can define which tasks require a privileged access request via the admin portal.
When admins want to perform one of these tasks, they can raise their requests for access via the portal or via PowerShell.
A sample PowerShell request to perform tasks requiring privileged access approval looks like this:
New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' -Reason 'Setting Journal per request.' -DurationHours 4
Requests can be automatically or manually approved, and requestors are notified of the approval outcome via email. All privileged access requests and approval process information is recorded for internal reviews and auditors.
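The request and approval cycle described above, shown from both the requester's and the approver's side with the Exchange Online PowerShell cmdlets for privileged access management. This is an added example, not part of the original post; the approver group address, the request ID and the comments are placeholders.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session and
# that privileged access management is already enabled for the tenant.
# The approver group address and '<request-id>' are placeholders.

# Policy owner: running New-JournalRule now requires manual approval
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule' `
    -ApprovalType Manual `
    -ApproverGroup 'pam-approvers@example.onmicrosoft.com'

# Requester: ask for access to that one task, for four hours, with a reason
New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' `
    -Reason 'Setting Journal per request.' -DurationHours 4

# Approver: list the requests and review who asked for what, and why
Get-ElevatedAccessRequest

# Approver: approve or deny the request; the comment is kept with the record
Approve-ElevatedAccessRequest -RequestId '<request-id>' -Comment 'Approved for the journaling change'
# Deny-ElevatedAccessRequest -RequestId '<request-id>' -Comment 'No change ticket referenced'

# Approver: withdraw an approval before the requested duration runs out
# Revoke-ElevatedAccessRequest -RequestId '<request-id>' -Comment 'Task completed early'
```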
Privileged Access Management License requirements
Privileged access management requires Microsoft 365 E5, Office 365 E5 or the standalone Advanced Compliance SKU.
Microsoft have updated the Office 365 roadmap with some upcoming improvements to calendar sharing in Office 365.
Apart from being simpler, these new calendar updates are also great for separate companies who use Office 365 and share resources like meeting rooms.
The current external sharing options are difficult to configure and only update every 3 hours. However, these new changes will allow for a simple, instantly syncing calendar sharing experience, both internally and with external Office 365 & Outlook.com users.
Introducing a new service backed model for sharing calendars with other Office 365 subscribers that improves performance and reliability and keeps all calendars in sync.
This update came from our Azure function which monitors the Office 365 Roadmap, generates an image and triggers a Microsoft Flow Approval to collect our input. See our knowledge base for more examples of our business process automation.
Elliot Munro | 2016-09-16 09:42:17 | 2019-02-21 13:23:50 | How to Install Office from Office 365 – Updated Video
You can add your own branding to your users’ Office 365 login screens via the Azure admin portal. The level of customisation that you get depends on the version of Azure Active Directory that you’ve signed up for.
What’s Azure Active Directory?
Azure Active Directory might not sound familiar to you, though it underpins every Office 365 organisation. All of your Office 365 users are stored in your Azure Active Directory, which is included in Office 365.
How to set up the custom branding for Office 365 login screens
Click the App Launcher/Waffle button on the top left of the screen
Click the Admin tile
On the left menu, scroll down to Azure AD
You may need to sign up for an Azure subscription, though you won’t have to put any credit card details in yet.
Click Active Directory on the left menu once you’ve signed up.
Click the Active Directory that has the same name as your Office 365 subscription. You will likely only have one listed here. Ours is called Ozbizweb Group.
Click Configure, then click Customize Branding
The Customize Default Branding section gives you a few options to customise your Office 365 login experience.
Banner Logo
Size: 280 x 60 (Max is 300 x 60)
The Banner logo is the logo that appears above the Office 365 login fields. It supports JPEG, though a PNG image with a transparent background is recommended.
Square Logo
Size: 240 x 240
The square logo is used to represent user accounts in your organisation, on Azure AD web UI and in Windows 10. You should also add this one as a PNG with a transparent background, though JPEG is also supported.
Square Logo, Dark theme
Size: 240 x 240
You can upload a separate image for this one if the previous square logo won’t look good on dark backgrounds. Again, PNG with a transparent background is recommended, though JPEG is supported.
User ID Placeholder
Typically, this is [email protected] and is shown in the user ID input field. You can replace this with [email protected] if you like. Though you should leave it blank if you’re making apps using Azure AD that will support external users.
Sign In Page Text Heading
This heading will appear above the customised sign in page text which can appear at the bottom of the Office 365 Sign in screen.
Sign In Page Text Body
This can be a short message at the bottom of the Office 365 login screen that can give more information to the users. You can use this to display welcome text, information about password resets, or contacting the helpdesk. This one can’t be longer than 500 characters (250-300 characters recommended).
Click the arrow to proceed to the next screen. This is where you can add the background image that will appear when a user enters their username.
Sign In Page Illustration
Size: 1420 x 1200
The message from Microsoft here is to use an abstract illustration or picture. Since the image gets resized and cropped, avoid using rasterized text and keep the “interesting” part of the illustration in the top-left corner. It can be a JPEG, GIF or PNG and should be about 300 KB in size. Max size is 500 KB.
Sign In Background Colour
Certain users may connect to Office 365 on low bandwidth connections, so you can customise the background colour of the Sign In Page Illustration section which will appear while the image loads. The default is the Office 365 orange/red, though this can be set to a hexadecimal colour code that suits your brand, e.g. #73A2D1.
Show or Hide Keep me signed in or KMSI
If you don’t want your users to choose to stay signed into devices, you can hide the ‘Keep me signed in’ checkbox here.
Post Logout Link Label
This is the link text that will appear when your users log out of Office 365. eg. Return to Ozbizweb Group website.
Post Logout Link URL
This is the URL that you’d like the Post Logout Link Label to redirect your users to, e.g. http://www.ozbizweb.com.au
Once you’ve applied your changes, click the Tick icon and wait for the changes to be applied.
You can test them out in an In-Private window (CTRL-Shift-P in Edge/Internet Explorer, CTRL-Shift-N in Google Chrome). Just enter your email address, and you should see some of the changes are taking effect. Note that it may take up to an hour to see your branding changes.
The free tier of Azure Active Directory doesn’t appear to display all the customised branding elements. Though some of them, like the Banner Logo and custom background colour before the Sign In Illustration loads, do appear.
Want to see all your Office 365 login screen branding?
Displaying all of your branding changes is one of the many benefits of Azure Active Directory Premium, and the good news is that you can try it out for free. If you decide that you don’t want to go ahead with Azure Active Directory Premium for all your users, and just want it for the branding, you can assign it to just one user. This seems to enable all the custom branding elements for all users in your organisation.
Here’s how to activate an Azure Active Directory Premium Trial
In the Azure portal, click the quick start cloud icon.
Scroll down to Get Azure AD Premium and click Try it now.
Click Activate Trial at the bottom of the screen.
Click the tick to get started. This trial will not auto-renew, and you won’t be charged after the 30 days are up.
Wait for the trial to start.
Make sure the Azure Active Directory Premium plan is selected and click Assign at the bottom of the screen.
You will be presented with a list of users in your organisation. Mouse over the users and click the + icon to select them for license assignment.
Click the tick icon and wait for the License plan operation to complete.
Open an In-Private window, navigate to https://portal.office.com and enter a user’s email address. You should see all the branding changes you’ve implemented are now active!
Elliot Munro | 2015-12-20 12:00:19 | How to add your branding to Office 365 login screens
We usually use SkyKick for our Office 365 migrations as it helps us to automate the process and ensures a seamless transition onto Exchange Online. Occasionally SkyKick will be unavailable to us, which is the case for a small migration I have underway.
The customer is migrating away from a Google Apps tenant that we don’t have administrative access to. This means we’re unable to set up the Google Service Account required by SkyKick, and have to migrate mail, contacts and calendars separately onto Office 365.
Since we have the usernames and passwords for the Google Apps/Google for Work accounts, we can run an IMAP migration within the Exchange Admin Centre. There are some instructions here that detail this process.
If the stars align for you, the migration will run without an issue. Just in case things go wrong, though, here are some solutions to common IMAP migration issues.
Error: We had trouble signing into this account. Please confirm that you’re using the correct username and password.
If you’re receiving this error message and you’re 100% sure that all user details are correct, you may need to Allow less secure apps in the users’ Google Security Settings.
This will allow Office 365 to connect to your accounts via IMAP to download the mail.
E-mail migration batch “migrationname” has finished – with errors
If you try to run the migration again, you will probably get an error report via email that states E-mail migration batch “migrationname” has finished – with errors.
The error message tells you that the migration users already exist, and will need to be removed before we can migrate their mail. The usual method to do this would be to delete the Migration Batch from the Exchange Admin Center.
When attempting to delete the migration, you may notice that the migration is stuck with a status of Removing.
Removing a Migration Batch via PowerShell
To remove a Migration Batch that is stuck with a status of removing, you may need to remove it via PowerShell.
To do this, you’ll need to connect to Exchange Online via PowerShell
Run Get-MigrationBatch
You’ll get a list of the current Migration Batches. In my screenshot the status is Syncing, since I forgot to take a screenshot while it was stuck on Removing.
To remove a Migration that’s stuck on Removing or Corrupted, run Remove-MigrationBatch -Identity migrationname
Remember to replace migrationname with the name of your migration.
If it still does not remove, run Remove-MigrationBatch -Identity migrationname -Force to force its removal.
The user “[email protected]” already exists, but the migration batch that includes it couldn’t be found
Unfortunately, if you try to run the migration again, you may get the following error in your emailed error report:
The user “[email protected]” already exists, but the migration batch that includes it couldn’t be found. Before you try migrating the user within a batch again, please remove the existing user by running the Remove-MigrationUser cmdlet.
At first I tried to remove all the migration users by signing into Exchange Online via PowerShell and running Get-MigrationUser to get a list of all the current migration users.
Then I ran Get-MigrationUser | Remove-MigrationUser
This gave me the following error message for each one:
Could not load the batch information for migration user ’[email protected]’. Associated migration subscription cannot be removed
To fix this, run Get-MigrationUser | Remove-MigrationUser -Force
You can run Get-MigrationUser again to confirm that there are no more registered Migration Users
Save yourself some time
If you want to save some time and force the removal of both Migration Batches and Migration Users, just run the following PowerShell commands in order:
Remember to replace migrationname with the name of your migration batch.
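The forced clean-up from the steps above as one script, with a dry-run switch and a record of what is removed. This is an added example, not the original post's command listing; the $DryRun variable and the CSV file name are assumptions introduced here, and migrationname is the post's own placeholder.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session.
$BatchName = 'migrationname'   # placeholder: replace with your batch name
$DryRun    = $true             # hypothetical switch: set to $false to delete

# 1. Remove the batch if it still exists. -Force covers batches stuck on
#    Removing or Corrupted; -WhatIf only reports the action while $DryRun is set.
$batch = Get-MigrationBatch -Identity $BatchName -ErrorAction SilentlyContinue
if ($batch) {
    Write-Host "Removing batch '$BatchName' (status: $($batch.Status))"
    Remove-MigrationBatch -Identity $BatchName -Force -Confirm:$false -WhatIf:$DryRun
} else {
    Write-Host "Batch '$BatchName' not found; continuing with migration users"
}

# 2. Record the migration users before touching them. The next step removes
#    every migration user in the tenant, not only those from this batch, so
#    review this list first if other migrations are in progress.
$users = @(Get-MigrationUser)
$users | Select-Object Identity, Status |
    Export-Csv -Path .\migration-users-removed.csv -NoTypeInformation

# 3. Force removal; without -Force, users whose batch is gone fail with
#    "Could not load the batch information for migration user".
$users | Remove-MigrationUser -Force -Confirm:$false -WhatIf:$DryRun

# 4. Confirm that nothing is left registered
$remaining = @(Get-MigrationUser)
Write-Host "$($remaining.Count) migration user(s) still registered"
```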
There are two ways to set up an Out of Office Automatic Reply when using Office 365. You can use Outlook, or the Outlook Web App.
Set up an Out of Office reply via Outlook
Open Outlook
Click File
Click Automatic Replies
Enter your Automatic Reply message
You can configure different automatic replies for senders inside or outside the organisation. You can also choose to send Automatic Replies indefinitely, or during a specific time frame.
Elliot Munro | 2015-12-09 10:00:55 | How to set up an Out of Office message in Office 365
Enter your Office 365 email address and password and tap Next.
Wait for it to show verified
Select the services you want to sync to your iPhone or iPad
Open the mail app on your phone to view your new mail account. Your Calendar will appear under the Calendar App, Contacts will appear under the Contacts app.